9313029

Virtualized Network Interface for Remote Direct Memory Access Over Converged Ethernet

Published: April 12, 2016
Assignee: not available in USPTO data we have

Patent Claims
23 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method for generating an opaque data comprising a stream identifier, which identifies memory region and access controls permitted to be accessed by data fields of a packet containing the stream identifier, the packet being formatted in accordance with remote direct memory access over converged Ethernet, comprising: encrypting at least a part of the stream identifier with a first secret random data to provide an encrypted stream identifier; generating a digest by applying a cryptographic hash to the at least the part of the stream identifier; and combining the encrypted stream identifier with the digest to generate the opaque data, wherein the opaque data comprises a remote key (R-Key) in accordance with Infiniband specification.

2. The method as claimed in claim 1, comprising: encrypting the entire stream identifier with the first secret random data to provide the encrypted stream identifier; and generating the digest by applying the cryptographic hash to the entire stream identifier.

3. The method as claimed in claim 1, wherein the generating a digest by applying a cryptographic hash to the at least the part of the stream identifier comprises: generating the digest by applying the cryptographic hash to the at least the part of the stream identifier and a second secret random data.

4. The method as claimed in claim 1, wherein the generating a digest by applying a cryptographic hash to the at least the part of the stream identifier comprises: generating the digest by applying the cryptographic hash to the at least the part of the stream identifier, a second secret random data, and a third data.

5. The method as claimed in claim 4, wherein the third data do not need to be secret.

6. An apparatus for generating an opaque data comprising a stream identifier, which identifies memory region and access controls permitted to be accessed by data fields of a packet containing the stream identifier, the packet being formatted in accordance with remote direct memory access over converged Ethernet, comprising: an entity configured to encrypt at least a part of the stream identifier with a first secret random data to provide an encrypted stream identifier, to generate a digest by applying a cryptographic hash to the at least the part of the stream identifier, and to combine the encrypted stream identifier with the digest to generate the opaque data, wherein the opaque data comprises a remote key (R-Key) in accordance with specification implementing Infiniband specification.

7. The apparatus as claimed in claim 6, wherein the entity is configured to: encrypt the entire stream identifier with the first secret random data to provide the encrypted stream identifier; and generate the digest by applying the cryptographic hash to the entire stream identifier.

8. The apparatus as claimed in claim 6, wherein the entity is configured to: generate the digest by applying the cryptographic hash to the at least the part of the stream identifier and a second secret random data.

9. The apparatus as claimed in claim 6, wherein the entity is configured to: generate the digest by applying the cryptographic hash to the at least the part of the stream identifier, a second secret random data, and a third data.

10. The apparatus as claimed in claim 9, wherein the third data do not need to be secret.

11. The apparatus as claimed in claim 6, wherein the entity comprises one of: a hypervisor; a virtual machine; and a virtual network interface card.

12. A method for reconstructing a stream identifier, which identifies memory region and access controls permitted to be accessed by data fields of a packet containing the stream identifier, the packet being formatted in accordance with remote direct memory access over converged Ethernet, comprising: receiving an opaque data at an entity that generated the opaque data, wherein the opaque data comprises a remote key (R-Key) in accordance with Infiniband specification; separating the opaque data into an encrypted stream identifier and a first digest; decrypting the encrypted stream identifier with a first secret random data to provide a decrypted stream identifier; and verifying the decrypted stream identifier using the first digest.

13. The method as claimed in claim 12, further comprising: combining the decrypted stream identifier with a static part of the stream identifier when the decrypted stream identifier comprises a programmable part of the stream identifier.

14. The method as claimed in claim 12, wherein the verifying the decrypted stream identifier comprises: generating a second digest by applying a cryptographic hash to the decrypted stream identifier; declaring the decrypted stream identifier verified when the first digest and the second digest are identical.

15. The method as claimed in claim 14, wherein the generating a second digest by applying a cryptographic hash to the decrypted stream identifier comprises: generating the second digest by applying the cryptographic hash to the decrypted stream identifier and a second secret random data.

16. The method as claimed in claim 14, wherein the generating a second digest by applying a cryptographic hash to the decrypted stream identifier comprises: generating the digest by applying the cryptographic hash to the decrypted stream identifier, a second secret random data, and a third data.

17. The method as claimed in claim 16, wherein the third data do not need to be secret.

18. An apparatus for reconstructing a stream identifier, which identifies memory region and access controls permitted to be accessed by data fields of a packet containing the stream identifier, the packet being formatted in accordance with remote direct memory access over converged Ethernet, comprising: a virtual interface network card configured to receive an opaque data at an entity that generated the opaque data, wherein the opaque data comprises a remote key (R-Key) in accordance with Infiniband specification; to separate the opaque data into an encrypted stream identifier and a first digest; to decrypt the encrypted stream identifier with a first secret random data to provide a decrypted stream identifier; and to verify the decrypted stream identifier using the first digest.

19. The apparatus as claimed in claim 18, wherein the virtual interface network card is configured to: combine the decrypted stream identifier with a static part of the stream identifier when the decrypted stream identifier comprises a programmable part of the stream identifier.

20. The apparatus as claimed in claim 18, wherein the virtual interface network card is configured to: generate a second digest by applying a cryptographic hash to the decrypted stream identifier; declare the decrypted stream identifier verified when the first digest and the second digest are identical.

21. The apparatus as claimed in claim 20, wherein the virtual interface network card is configured to: generate the second digest by applying the cryptographic hash to the decrypted stream identifier and a second secret random data.

22. The apparatus as claimed in claim 20, wherein the virtual interface network card is configured to: generate the second digest by applying the cryptographic hash to the decrypted stream identifier, a second secret random data, and a third data.

23. The apparatus as claimed in claim 22, wherein the third data do not need to be secret.
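
The generate-and-verify flow of claims 1-5 and 12-17, as an added example that is not code from the patent or from this site. The 16-bit identifier and 16-bit truncated digest (chosen so the result fits a 32-bit R-Key), the HMAC-SHA256 digest, the small Feistel cipher standing in for the unspecified encryption, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed layout (not from the claims): 16-bit stream identifier in the high
# half, 16-bit truncated digest in the low half of a 32-bit opaque R-Key.

def _f(key: bytes, rnd: int, half: int) -> int:
    """Feistel round function: one byte of HMAC-SHA256 over (round, half)."""
    return hmac.new(key, bytes([rnd, half]), hashlib.sha256).digest()[0]

def encrypt_id(k1: bytes, sid: int) -> int:
    """Stand-in 16-bit cipher keyed by the first secret (4-round Feistel)."""
    left, right = sid >> 8, sid & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _f(k1, rnd, right)
    return (left << 8) | right

def decrypt_id(k1: bytes, ct: int) -> int:
    """Inverse of encrypt_id: run the rounds in reverse order."""
    left, right = ct >> 8, ct & 0xFF
    for rnd in reversed(range(4)):
        left, right = right ^ _f(k1, rnd, left), left
    return (left << 8) | right

def digest(k2: bytes, sid: int, third: bytes) -> bytes:
    """Keyed hash over the identifier, the second secret and the third data."""
    msg = sid.to_bytes(2, "big") + third
    return hmac.new(k2, msg, hashlib.sha256).digest()[:2]

def make_rkey(sid: int, k1: bytes, k2: bytes, third: bytes) -> int:
    """Claims 1-5: encrypt, digest, combine into one opaque 32-bit value."""
    tag = int.from_bytes(digest(k2, sid, third), "big")
    return (encrypt_id(k1, sid) << 16) | tag

def open_rkey(rkey: int, k1: bytes, k2: bytes, third: bytes):
    """Claims 12-17: separate, decrypt, recompute the digest, compare."""
    sid = decrypt_id(k1, rkey >> 16)
    first = (rkey & 0xFFFF).to_bytes(2, "big")
    second = digest(k2, sid, third)
    # Constant-time comparison; return None unless the digests are identical.
    return sid if hmac.compare_digest(first, second) else None

if __name__ == "__main__":
    k1, k2 = secrets.token_bytes(16), secrets.token_bytes(16)
    third = b"qp=7"  # constructed non-secret context value
    rkey = make_rkey(0x1234, k1, k2, third)
    print(hex(rkey), open_rkey(rkey, k1, k2, third) == 0x1234)
```

With this assumed 16-bit digest, a blindly guessed R-Key verifies with probability of about 2^-16 per attempt, so the receiving entity should count and limit verification failures.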

Patent Metadata

Filing Date

Unknown

Publication Date

April 12, 2016

Inventors

Wilson Parkhurst Snyder II


Cite as: Patentable. “VIRTUALIZED NETWORK INTERFACE FOR REMOTE DIRECT MEMORY ACCESS OVER CONVERGED ETHERNET” (9313029). https://patentable.app/patents/9313029
